February 13, 2020

New CFIUS Regulations Finally Take Effect

Holland & Knight Alert
Antonia I. Tzinova


  • Regulations implementing the Foreign Investment Risk Review Modernization Act of 2018 (FIRRMA) took effect on Feb. 13, 2020.
  • The new rules build on FIRRMA and are intended to strengthen the oversight and expand the jurisdictional reach of the Committee on Foreign Investment in the U.S. (CFIUS).
  • Additional rules on fees, penalties and other procedural matters, as well as rolling back some of the requirements of the CFIUS Pilot Program on critical technologies, are expected in the near future.

After a few years of debating and making into law, the Committee on Foreign Investment in the U.S. (CFIUS) regulations implementing the Foreign Investment Risk Review Modernization Act of 2018 (FIRRMA) took effect on Feb. 13, 2020. The new rules are intended to strengthen the oversight and expand the jurisdictional reach of CFIUS.

CFIUS released on Jan. 13, 2020, two final sets of regulations to implement some of the more significant jurisdictional changes that FIRRMA mandated. Additional rules on fees, penalties, and other procedural matters, as well as rolling back some of the requirements of the CFIUS Pilot Program on critical technologies, are expected in the near future.

CFIUS is an interagency committee chaired by the Secretary of the Treasury that is authorized to review certain foreign investment transactions in the United States that pose a threat to national security. Since its inception in 1975, CFIUS has confronted both shifting concepts of national security and a changing global economic order, marked by the rise of new emerging markets and state-led firms that are playing a more active role in the global economy.

Established by President Gerald Ford to respond to fears that OPEC investments in the U.S. economy were threatening national security, CFIUS has subsequently tackled evolving concerns sparked by various global developments. These include Japanese investments in the 1980s that resulted in congressional passage of the Exon-Florio law, granting the president the power to block proposed or pending foreign mergers, acquisitions, or takeovers that threatened to impair national security; Arab investments in the wake of 9/11 that culminated in the political firestorm caused by Dubai Ports World's proposed takeover of the U.S. maritime terminal operations of P&O Ports resulting in the Foreign Investment and National Security Act of 2007 (FINSA), which specifically called transactions involving critical infrastructure as subject to CFIUS jurisdiction and codified CFIUS practices; and recently Chinese investments on the background of geopolitical and technological ambitions – particularly in the areas of semiconductors and 5G technology – have resulted in FIRRMA and the new CFIUS regulations.

With some changes to accommodate industry comments from more than 60 organizations, the new CFIUS regulations build on the Nov. 10, 2018, Pilot Program concerning critical technologies and the proposed rules of Sept. 17, 2019. The new rules include an interim rule on the new definition for "principal place of business," on which CFIUS is seeking public comments by Feb. 18, 2020.1

CFIUS also plans to issue additional rules to scale back some of the requirements introduced by the Pilot Program (reportedly moving away from North American Industry Classification System (NAICS) codes to export controlled categories), and introducing filing fees.

Major Changes Under the New Regulations

Before FIRRMA, CFIUS reviews were only triggered when an acquisition resulted in foreign "control" of a U.S. business that might pose a threat to U.S. national security. CFIUS termed these acquisitions "covered transactions." The concept of "national security" was purposefully not defined and interpreted broadly by CFIUS to allow maximum flexibility in determining the outcome of a transaction.

FIRRMA expanded CFIUS jurisdiction in two key ways. First, FIRRMA permits CFIUS to review certain "other" investments – namely, non-controlling foreign investments in U.S. businesses involved in certain critical technologies, critical infrastructure, or the personal data of U.S. nationals (referred to as TID businesses for technology, infrastructure, and data). Covered non-controlling investments afford the foreign investor access to material nonpublic technical information or substantive involvement in the U.S. business's decision-making with respect to the technology, infrastructure, or data.

Second, FIRRMA allows CFIUS to review certain real estate transactions, which would not otherwise fall under the jurisdiction of CFIUS, including undeveloped land, which were previously exempt from review as "greenfield" investments. Broadly, the proposed regulations define covered real estate as real estate that is: a) located within or functioning as part of a "covered port" (either airport or maritime port), b) located within close proximity of military installations and other government facilities, c) located within an extended range of certain military installations or d) any part of certain military installations located within the territorial sea of the United States. (See Holland & Knight's previous alert, "Foreign Ownership of Real Estate: New Rules from CFIUS," Oct. 16, 2019.)

This alert focuses on some of the most significant changes to CFIUS review of investment in a U.S. business, whether controlling or non-controlling investments (Part 800 of the CFIUS regulations). It also analyzes CFIUS' response to industry concerns with the proposed regulations, and how the rule was modified in the final regulations.

1. Non-Controlling Investments in a TID Business

Under the new regulations, in addition to controlling investments, foreign non-controlling investments (or covered investments) are subject to CFIUS jurisdiction if 1) the acquired U.S. business qualifies as a TID business and 2) the minority foreign investment is allowed a) access to material nonpublic technical information, b) membership or observer rights on the board of directors or equivalent governing body or c) substantive involvement in the U.S. business' decision-making with respect to the technology, infrastructure, or data.2,3

  • Technologies: Critical technologies are defined as (i) items on the United States Munitions List, (ii) items on the Commerce Control List, (iii) nuclear equipment controlled under 10 C.F.R. Part 110; (iv) select agents and toxins covered under 7 C.F.R. Part 331, 9 C.F.R. Part 121, or 42 C.F.R. Part 73; or (v) "emerging and foundational technologies" controlled under the Export Control Reform Act of 2018 (ECRA).4
  • Infrastructure: Covered investment critical infrastructure is a new term introduced by CFIUS in drafting the new regulations. This is a subset of critical infrastructure5 specifically listed in Appendix A to new Part 800 that a U.S. business owns, operates, manufactures, supplies or services. Non-controlling investments in this category are now also subject to CFIUS jurisdiction. Examples include certain internet protocol networks, telecommunication services, internet exchange points, submarine cable systems and landing facilities, financial market utilities, rail lines that service U.S. Department of Defense (DOD) installations, etc.
  • Data: Businesses that engage with "sensitive personal data" are those that maintain or collect, directly or indirectly, the sensitive personal data of U.S. citizens,6 if identifiable, as opposed to aggregate, which (i) targets or tailors its products to sensitive U.S. government personnel or contractors; (ii) maintains or collects data on more than 1 million individuals; or (iii) has a demonstrated business interest in collecting data on more than 1 million individuals and that data is a part of the U.S. business's primary products or services. Sensitive data is defined to include 10 categories of data maintained or collected by U.S. businesses. These include data used to analyze or determine an individual's financial distress or hardship; the set of data in a consumer report; the set of data in an application for health insurance, long-term care insurance, professional liability insurance, mortgage insurance, or life insurance; data relating to the physical, mental, or psychological health condition of an individual; nonpublic electronic communication; geolocation data; biometric enrollment data; data stored and processed for generating a state or federal ID card; data concerning U.S. government personnel security clearance status; and the set of data in an application for a U.S. government personnel security clearance or an application for employment in a position of public trust. Genetic information is also included in the definition regardless of whether it meets (i), (ii), or (iii).7

Genetic Data and Biotechnology. The definition of sensitive personal data was left in FIRRMA to be developed by CFIUS. Under the final regulations, and in response to comments from industry participants, the final regulations recalibrate the provision on genetic testing in two ways: 1) by focusing the definition on genetic tests and 2) by limiting the coverage of the rule to identifiable data.8 CFIUS will be closely observing biotechnology and life sciences companies that operate in these sectors and identifying instances in which a foreign investment raises a national security concern. CFIUS will have expanded jurisdiction over U.S. businesses that collect or maintain records relating to a U.S. citizen's genetic information, such as a genetic test or individual or family history. This is the type of information that biotechnology or life sciences companies might collect and could lead to review.

2. Mandatory Filings

Another significant change in the review regime is the introduction of mandatory filings for certain transactions. Historically, all filings made to CFIUS were submitted on a voluntary basis. However, FIRRMA introduces, and the new regulations implement, the concept of mandatory filings. Despite this, the process remain mostly based on voluntary filings, with a relatively small number of transactions requiring a mandatory filing, namely, (i) a substantial foreign government investment in a TID U.S. business, or (ii) controlling or non-controlling investments in critical technologies within the scope of the CFIUS Pilot Program on critical technologies.

  • A substantial foreign government investment in a TID business. Under the new regulations, there is a substantial interest if a foreign person obtains 25 percent or more voting interest in the TID business, and a foreign government owns 49 percent or more of the foreign person.9,10
  • CFIUS Pilot Program on critical technologies of Nov. 10, 2018. Controlling or non-controlling investments in U.S. businesses that produce, design, test, manufacture, fabricate or develop one or more critical technologies in one of 27 identified industries – including aviation, defense, semiconductors, telecommunications and biotechnology – are subject to a mandatory filing with CFIUS. The final regulations, for now, will continue to use the same NAICS codes. However, CFIUS announced that it will issue a notice of proposed rulemaking, perhaps moving away from an industry-based approach for these filing requirements in favor of "export control licensing requirements." In the meantime, mandatory declarations must be filed 45 days before the close of a transaction.

For either mandatory or voluntary filings, FIRRMA has developed an abbreviated filing process through a declaration, allowing parties to submit basic information to CFIUS.11 These provisions are expanded in the new, final regulations.12 The declarations should generally not exceed five pages in length, and it is likely that a form will be ultimately designed to increase the ease and usefulness of the process. Although declarations are intended to streamline the process by moving less complex transactions through the CFIUS review process with less administrative burden on the filing companies, filing a declaration may actually increase the processing time: CFIUS has 30 days to render a decision on a mandatory declaration, but may at that time require a full notice, adding a full review cycle to reach a decision, thereby delaying the overall timing of a mergers and acquisition (M&A) transaction. This may act as a deterrent to the use of this mechanism.

3. Excepted Foreign States and Excepted Investors

FIRRMA issued a high-level directive13 to limit the application of CFIUS to particular groups of investors, thereby reining in the expanded jurisdiction but leaving CFIUS to develop these limitations. CFIUS published the list of the initial excepted states at the time it published the final regulations on Jan. 13, 2020. It includes Australia, Canada, and the UK. However, the new rules introduce a number of requirements before an investor from an excepted sate would qualify as an "excepted investor."14 To qualify, a foreign person must have a substantial connection to an excepted foreign state and additionally not have violated certain U.S. laws, including not having submitted material misstatement to CFIUS, violated material provision of a mitigation agreement, been subject to a presidential action under section 721, violated export control laws, or been convicted of a felony in U.S.

The rule proposes that the excepted foreign state15 definition operate as a two-factor conjunctive test. First, the state must be included in a defined group of eligible foreign states, which is separately published, effectively establishing a "white list." The countries on this initial list will have two years to ensure that their national security-based foreign investment review process and bilateral cooperation with the U.S. on such a process meet the requirements of the new regulations.16 This requires the establishment of a robust process to assess foreign investments for national security risk and to facilitate coordination with the United States. Beginning Feb. 13, 2022, CFIUS may add other countries to the initial list published on Jan. 13, 2020.17

In addition, the foreign investor must ensure that the "minimum excepted ownership"18– at least 50 percent of a publicly traded company or at least 80 percent of a privately held fund or entity – is held by U.S. persons or citizens of the excepted foreign state who are not also citizens of other countries. In addition, the investor must satisfy several specific tests – including having all of its directors, observers, and 10 percent or greater owners be from an excepted foreign state19 – before it can qualify for excepted status.

We expect considerable lobbying activity both by industry groups and states regarding the white list of excepted foreign states, vying for excepted foreign state privileges.

4. Private Equity Funds

Certain exceptions apply to investment by private equity funds in a TID business. Under FIRRMA, U.S. private equity funds with foreign limited partners will not be considered foreign – and thus within the reach of CFIUS – if four conditions are met.20 First, a fund with a foreign limited partner must be managed exclusively by a general partner (or equivalent) who is not a foreign person. Second, the firm's advisory board on which the foreign person sits may not have the ability to control in any way the investment decisions of the firm. Third, the foreign person may not have the ability to control the fund, including through investment decisions, ability to approve or disapprove decisions made by the managing partner, or unilaterally determine the compensation of the general partner. Finally, the foreign person may not have access to material, nonpublic technical information.

As a corollary to this exception, if a decision by a board requires a unanimous vote by the limited partners, CFIUS may find that the foreign limited partner control the investing fund or general partner. Similarly, if the foreign limited partner has been granted negative rights, CFIUS may find sufficient control by the foreign person to justify a review, regardless of whether the rights are exercised.

This treatment of private equity funds is in line with CFIUS' well-established practices and prior regulations.

5. Penalties

FIRRMA directs CFIUS to impose certain fees on parties who violate the CFIUS review process. Any person who submits a material misstatement or omission in a declaration or notice, or who makes certain other false statements, may be liable for a civil penalty of up to $250,000 per violation.21 Any person who fails to comply with the mandatory filing procedures may be liable for a civil penalty of up to $250,000 or the value of the transaction, whichever is greater.22 Furthermore, any person who, after Dec. 22, 2018, intentionally or through gross negligence violates a material provision of a mitigation agreement entered into before Oct. 11, 2018, will also be liable for a civil penalty of up to $250,000 or the value of the transaction.23 Further guidance on penalties is expected in new rules by CFIUS.

6. Procedural Changes and Filing Fees

FIRRMA imposes a number of procedural changes to the CFIUS process. FIRRMA maintains core components of the current CFIUS three-step process for evaluating proposed or pending investments in U.S. firms, but increases the allowable time for reviews and investigations: 1) a 30-day declaration filing; 2) a 45-day national security review (from 30 days), including an expanded time limit for analysis by the Director of National Intelligence (from 20 to 30 days)24; 3) a 45-day national security investigation, with an option for a 15-day extension in extraordinary circumstances25; and 4) a 15-day presidential determination (unchanged).26 Beyond new timing requirements and decision timelines, FIRRMA introduces a filing fee of 1 percent of the transaction, not to exceed $300,000.27 Thus, the funding for CFIUS will be sourced from a $20 million annual appropriation, the filing fees, and through penalties. This funding will be critical as CFIUS estimates that under the new regime they will receive approximately 1,000 filings per year for review. New CFIUS regulations on filing fees are expected soon.

Comments from Interested Parties

As already noted, more than 60 companies and organizations submitted comments with regard to the proposed CFIUS regulations that took effect on Feb. 13, 2020. In summary, below are some of the more significant concerns of industry:

a) Definition of U.S. Business

No fewer than 10 organizations commented on the proposed definition of a U.S. business. In the original language, a U.S. business was defined as: "any entity, irrespective of the nationality of the persons that control it, engaged in interstate commerce in the United States, but only to the extent of its activities in interstate commerce." Under FIRRMA, the final clause is eliminated. It was commenters' position that the traditional jurisdiction should be maintained, as it would be counterproductive to remove that language from the definition. Businesses with no assets in the United States should not be considered U.S. businesses. Commenters also requested clarification with regard to whether an ownership interest in a U.S. business that invests in another U.S. business results in a covered transaction. CFIUS suggested "any entity, irrespective of nationality of the persons that control it, engaged in interstate commerce in the United States." Parties have until Feb. 18, 2020, to comment on this proposed definition.

b) Narrow the Scope of Sensitive Personal Data

Many organizations also commented on the scope of sensitive personal data. Biotechnology companies noted that they have access to genetic information and suggested that they be removed from the list of industries covered by the mandatory declaration requirement. Other companies requested that sensitive personal data be tailored to actual national security risks, positing that the current formulation is overbroad. In the final regulations, CFIUS declined to raise the threshold from 1 million individuals, but narrowed the definition of "genetic tests" and limited the coverage of the rule to identifiable data.

c) Foreign Excepted States

It was the position of a number of companies that "foreign excepted states" should be broadly designated, and that the definition should be clarified. Canada, the UK, Singapore, Australia, Japan, and Switzerland all requested excepted state status. Others commented that foreign excepted states should be tied to existing government lists (including all U.S. economic and military allies). There have been calls to clarify the "minimum excepted ownership" process, and suggestions that the rate be lowered from 90 percent to 75 percent. In the final regulations, CFIUS did lower the rate of minimum excepted ownership to 75 percent. Additionally, it named Australia, Canada, and the UK to an initial list of foreign excepted states.

Commenters were outraged that directors, observers, and 5 percent or greater owners of a company must be from an excepted foreign state before it can qualify for excepted status. They termed 5 percent "arbitrarily" and "unnecessarily low." They suggested either eliminating the requirement entirely, or raising the cap to at least 20 percent. In response, CFIUS revised the board member nationality criterion to allow up to 25 percent representation by foreign nationals of foreign states that are not excepted foreign states. In addition, it revised the percentage ownership limit for an individual investor in an excepted state from 5 percent to 10 percent.

d) Excepted Foreign Investor

Several companies submitted comments regarding excepted foreign investors, many indicating that the definition was too limited. Some requested clarification regarding which crimes would strip an entity of excepted foreign investor status, and whether an excepted foreign investor could be a dual-citizen. Some noted that the test for serving as an excepted investor is extremely difficult to satisfy even for well-respected investors from U.S. allied countries. Others promoted expanding the benefits awarded to excepted foreign investors, and implementing a more inclusive definition that should be based on certain criteria and not just on an excepted state. Finally, some proposed that CFIUS allow "excepted trusted investors" who are not from excepted foreign states be afforded the same excepted status. CFIUS made no changes to this rule in this regard.

e) Veto Rights v. Voting Rights

A number of companies sought to reaffirm the distinction between veto rights and voting rights, and sought a clarification of "voting interests" and the scope of "limited partner voting interest." They posited that voting interest should not include consent, veto, or other special rights, and should only include voting rights with regard to operations of the business. CFIUS made no change to this rule in response to comments.

f) Mandatory v. Voluntary Filing

Many organizations submitted comments regarding mandatory versus voluntary declarations. Most noted that the roles of the declarations should be narrowed and clarified, emphasizing that parties should be incentivized to file voluntary declarations, and that those declarations should be fast-tracked. They requested a carve-out from any mandatory filing requirements investments in early-stage research and development biotechnology companies. They expressed concern regarding the fact that CFIUS can still request a full notice after the 30-day review period and that this would inadvertently increase filing time. They further requested that the scope of the mandatory filing requirements for critical technology businesses be narrowed. Finally, they requested a clarification of the "substantial interest" requirement.

CFIUS noted in its guidance to the final published regulations that the rule integrates the mandatory declaration requirement from the Pilot Program. However, CFIUS anticipates issuing a separate notice of proposed rulemaking that would replace this requirement with a mandatory declaration requirement based upon export control licensing requirements. Additionally, in response to public comments, the rule exempts certain transactions from the critical technology mandatory declaration requirement. These exemptions relate to excepted investors, among others. According to the guidance, CFIUS anticipates that these exemptions will continue to apply even if the scope of the mandatory declaration requirement is modified.

g) Other Comments

  • Waivers: Certain organizations commented that there should be a waiver system in place from mandatory filing requirements. They suggested CFIUS create a waiver process through which a foreign person may petition to be exempted from mandatory filing requirements for a specified period, such as five years. They point out that FIRRMA creates a mechanism for this, but it does not appear in the regulations. The rule makes no change in response to these comments.
  • "Material nonpublic information": Several commenters wrote that "access" to material nonpublic information should be limited to actual access, not potential access. The rule makes no change in response to these comments.


FIRRMA and the much-awaited final regulations make a variety of sweeping changes to the CFIUS process that promise to bring more transactions under the scope of CFIUS review. These changes were implemented in response to increased national security concerns that were broadly shared by members of Congress. Although CFIUS will now be subjecting certain non-controlling investments to more scrutiny, the rules were carefully tailored so as not to stymie welcome foreign direct investment in the United States.


1 Interested persons may submit comments electronically through the federal government's eRulemaking portal or by mailing comments to: U.S. Department of the Treasury, Attention: Laura Black, Director of Investment Security Policy and International Relations, 1500 Pennsylvania Ave. NW, Washington, DC  20220.

2 New 31 C.F.R. §800.211.

3 FIRRMA §1703(a)(4)(D)(i)(I)-(III); 31 CFR §800.211(b).

4 FIRRMA §1703(a)(4)(B)(iii); new 31 C.F.R. §800.215.

5 Critical infrastructure is generally defined as systems and assets, whether physical or virtual, so vital to the United States that the incapacity or destruction of such systems or assets would have a debilitating impact on national security. FIRRMA §1703(a)(5); 31 CFR §800.214. This definition closely tracks the definition of "critical infrastructure" under FINSA and prior CFIUS regulations.

6 FIRRMA §1703(a)(4)(B)(iii)(III); 31 CFR §800.248(c).

7 31 CFR §800.241.

8 31 C.F.R. 241(a).

9 FIRRMA §1705(v)(IV)(bb)(AA).

10 31 CFR §800.244.

11 FIRRMA §1706(v)(1).

12 31 CFR §800.401.

13 FIRRMA §1703(a)(4)(E).

14 31 CFR §800.219.

15 31 CFR §800.218.

16 31 C.F.R. 800.218; 31 C.F.R. 802.1001

17 See Frequently Asked Questions on Final CFIUS Regulations Implementing FIRRMA, Jan. 13, 2020

18 31 CFR §800.233,

19 19 C.F.R. 800.219(a)(3)(iv).

20 FIRRMA §1703(a)(4)(D)(iv)(I).

21 31 C.F.R. 800.901(a).

22 31 C.F.R. 800.901(b).

23 31 C.F.R. 800.901(c).

24 31 C.F.R. 800.503(b).

25 31 C.F.R. 800.508(e).

26 FIRRMA §1714.

27 FIRRMA §1723(3)

Information contained in this alert is for the general education and knowledge of our readers. It is not designed to be, and should not be used as, the sole source of information when analyzing and resolving a legal problem. Moreover, the laws of each jurisdiction are different and are constantly changing. If you have specific questions regarding a particular fact situation, we urge you to consult competent legal counsel.

Related Insights